Malware Analysis
Malware analysis is the process of determining the functionality, origin, and potential impact of a malicious software sample. It answers critical questions: What does this malware do? How does it communicate? What data does it target? How can we detect and block it?
Malware analysis is a core capability for incident response. When a suspicious binary is found on a compromised system, analysis determines whether it is a known commodity malware, a custom tool, or — most importantly — whether it has exfiltrated data and how to block its C2 infrastructure.
Analysis Approaches
Malware analysis is divided into three complementary approaches, in increasing order of depth and cost:
| Approach | Method | Output | Time Required | Skill Level |
|---|---|---|---|---|
| Static analysis | Examining the file without executing it | File type, hashes, strings, imports, YARA matches | Minutes-hours | Beginner-Intermediate |
| Dynamic analysis | Executing the malware in a controlled sandbox | Network traffic, process creation, file modifications, registry changes | Hours | Intermediate |
| Reverse engineering | Disassembling and decompiling the binary | Full understanding of logic, algorithms, embedded configuration | Days-weeks | Advanced |
The Analysis Decision Tree
Not every sample requires full reverse engineering. The analysis depth should match the threat:
```text
Sample Collected
├── Is it already known? (VT lookup, hash databases)
│   ├── Yes → Check analysis reports; update detections
│   └── No → Proceed
├── Static analysis
│   ├── Identified as known family?
│   │   ├── Yes → Check family TTPs; update detections
│   │   └── No → Proceed
├── Dynamic analysis (sandbox)
│   ├── Clear C2, persistence, exfiltration observed?
│   │   ├── Yes → Block IOCs; update detections; done
│   │   └── No → Proceed to full reverse engineering
└── Reverse engineering (Ghidra/IDA)
    └── Full understanding of capability and intent
```

Static Analysis
1. File Type Identification
```bash
# Linux — identify file type
file suspicious_sample.bin
# Output: PE32 executable (GUI) Intel 80386, for MS Windows

# Windows — identify file type and check the Authenticode signature (Sysinternals)
sigcheck -a suspicious_sample.exe

# Check if the file is packed (UPX, Themida, etc.)
# Packed files have few readable strings and high entropy
```

| Indicator | Packed File | Normal File |
|---|---|---|
| Section names | UPX0, UPX1, UPX2 or custom | .text, .data, .rdata, .rsrc |
| Entropy | High (> 7.0) — compressed/encrypted sections | Lower (~5.0-6.5) — readable code |
| Import table | Minimal (only LoadLibrary, GetProcAddress) | Full set of API imports |
| String count | Very few readable strings | Many readable strings (URLs, registry paths, commands) |
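The three indicators in the table are easy to automate. The following is an added example, not code from the original page or from any tool it names: `shannon_entropy` computes bits per byte for a section, and `assess_packing` combines section names, per-section entropy and the size of the import table into a verdict. It takes sections as `(name, raw_bytes)` pairs, the shape a pefile caller would pass in; the section contents and import lists used at the bottom are constructed stand-ins, not data from a real sample.

```python
import math
from collections import Counter

# Section names left behind by common packers (UPX, Themida, VMProtect, ASPack,
# MPRESS, Petite, NsPack). Not exhaustive: custom packers use arbitrary names,
# which is why entropy and the import table are checked as well.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".themida", ".vmp0", ".vmp1", ".aspack", ".adata",
    "MPRESS1", "MPRESS2", ".petite", ".nsp0", ".nsp1",
}

# About all a packer stub needs in order to rebuild the real import table at runtime.
STUB_IMPORTS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                "VirtualAlloc", "VirtualProtect", "ExitProcess"}

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_packing(sections, imports):
    """
    sections: list of (name, raw_bytes) pairs, as read from the PE section table
    imports:  iterable of imported function names
    Returns the individual indicators from the table plus an overall verdict.
    """
    imports = set(imports)
    entropy = {name: round(shannon_entropy(raw), 2) for name, raw in sections}
    # Empty sections (UPX0 is 0 bytes on disk) carry no entropy signal; skip them.
    high = sorted(name for name, raw in sections if raw and entropy[name] > HIGH_ENTROPY)
    packer_names = sorted(name for name, _ in sections if name in PACKER_SECTION_NAMES)
    minimal = len(imports) <= 6 and imports <= STUB_IMPORTS

    score = bool(packer_names) + bool(high) + minimal
    return {
        "section_entropy": entropy,
        "packer_section_names": packer_names,
        "high_entropy_sections": high,
        "minimal_imports": minimal,
        "verdict": "likely packed" if score >= 2 else "probably not packed",
    }


# Constructed stand-ins for section contents (not bytes from a real sample):
# a 256-symbol alphabet repeated has exactly 8.0 bits/byte, like compressed data;
# instruction-like text has the skewed byte distribution of real code and strings.
COMPRESSED_LIKE = bytes(range(256)) * 16
CODE_LIKE = b"push ebp; mov ebp, esp; sub esp, 0x40; call GetProcAddress\n" * 64

PACKED_SAMPLE = assess_packing(
    [("UPX0", b""), ("UPX1", COMPRESSED_LIKE), (".rsrc", CODE_LIKE)],
    ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"],
)

NORMAL_SAMPLE = assess_packing(
    [(".text", CODE_LIKE), (".rdata", CODE_LIKE[:1024]), (".data", b"\x00" * 512)],
    ["CreateFileW", "ReadFile", "WriteFile", "RegSetValueExW", "InternetOpenA",
     "HttpSendRequestA", "CreateProcessW", "GetProcAddress", "LoadLibraryA"],
)

if __name__ == "__main__":
    for label, result in (("packed", PACKED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(f"{label}: {result['verdict']}  {result}")
```

Two of the three indicators are required for a "likely packed" verdict on purpose: a single high-entropy section is normal for a `.rsrc` full of compressed images, and a tiny import table is normal for a .NET stub, so any one signal alone produces false positives.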
2. Hash Calculation and Lookup
```bash
# Calculate hashes
sha256sum suspicious_sample.exe
md5sum suspicious_sample.exe

# VirusTotal lookup via API (a v3 file report is a GET on the hash, not a POST)
curl --request GET 'https://www.virustotal.com/api/v3/files/{hash}' \
  -H 'x-apikey: YOUR_API_KEY'
```

3. String Analysis
Strings reveal hardcoded configuration data, URLs, IPs, registry keys, and commands:
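Plain `strings` only sees ASCII, while Windows binaries store most of their text as UTF-16LE, so a C2 URL or a Run-key path can be invisible to an ASCII-only pass. The following is an added example, not from the original page, that pulls both encodings out of a byte buffer and tags each hit with the same indicator categories the grep patterns in this section look for. The byte buffer is constructed for the example; the indicators in it are the page's own placeholders, not real infrastructure.

```python
import re

MIN_LEN = 8  # same threshold as `strings -n 8`

# Printable ASCII run (what `strings` finds by default).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters as UTF-16LE: each printable byte followed by a NUL
# (what `strings -e l` finds and an ASCII-only pass silently misses).
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator categories, matching what the grep patterns in this section look for.
CATEGORIES = {
    "url": re.compile(r"^(?:https?|ftp)://", re.I),
    "ipv4_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "registry": re.compile(r"HKEY_|HKCU\\|HKLM\\|CurrentVersion\\Run", re.I),
    "path": re.compile(r"^[A-Za-z]:\\|%APPDATA%|^\\\\[^\\]+\\", re.I),
    "injection_api": re.compile(
        r"CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|NtUnmapViewOfSection"),
    "named_object": re.compile(r"Mutex|Mutant|Global\\", re.I),
}


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE string in data."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def categorize(text: str):
    return [name for name, rx in CATEGORIES.items() if rx.search(text)]


def triage_strings(data: bytes):
    """Keep only strings that hit at least one category, ordered by file offset."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        cats = categorize(text)
        if cats:
            hits.append({"offset": offset, "encoding": encoding,
                         "text": text, "categories": cats})
    return sorted(hits, key=lambda h: h["offset"])


def _wide(s: str) -> bytes:
    return s.encode("utf-16le")


# Constructed buffer imitating a config blob: ASCII strings, UTF-16LE strings and
# filler between them. The indicators are the page's placeholders, not real infrastructure.
SAMPLE = (
    b"\x00" * 16
    + b"Mozilla/5.0 (Windows NT 6.1; WOW64)" + b"\x00" * 4
    + b"203.0.113.50:8443" + b"\x00" * 4
    + _wide("https://evil-c2.com/gate.php") + b"\x00" * 4
    + _wide("Software\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00" * 4
    + _wide("C:\\Users\\Public\\config.bin") + b"\x00" * 4
    + b"CreateRemoteThread" + b"\x90" * 32
)

if __name__ == "__main__":
    for hit in triage_strings(SAMPLE):
        print(f"{hit['offset']:#08x} {hit['encoding']:<8} "
              f"{','.join(hit['categories']):<14} {hit['text']}")
```

The user-agent string is extracted but filtered out because it matches no category; that is the intended behaviour of a triage pass, which is there to surface pivots (URLs, hosts, registry paths, injection APIs) rather than every readable string. Offsets are kept so a hit can be located again in a hex editor or disassembler.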
```bash
# Extract printable ASCII strings (8+ chars) and UTF-16LE "wide" strings,
# which is how Windows binaries store most of their text
strings -n 8 suspicious_sample.exe > strings.txt
strings -n 8 -e l suspicious_sample.exe >> strings.txt

# Look for suspicious patterns (single quotes keep the backslashes intact for grep -E)
grep -iE 'https?://|ftp://' strings.txt                                    # URLs
grep -E '\\\\[^\\]+\\' strings.txt                                          # UNC network paths
grep -iE 'HKEY_|CurrentVersion\\Run' strings.txt                            # Registry persistence
grep -iE 'C:\\(Users|Windows|Program)' strings.txt                          # File paths
grep -iE 'Mutant|Mutex|Event' strings.txt                                   # Named objects
grep -E 'CreateRemoteThread|VirtualAllocEx|WriteProcessMemory' strings.txt  # Injection APIs
```

Example strings output from a TrickBot sample:
```text
TrickBot
config.bin
https://evil-c2.com/gate.php
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
server_1: 185.130.5.213:443
server_2: 203.0.113.50:8443
group_tag: finance_2026
C:\Users\*\AppData\Roaming\TrickBot\
```

4. PE (Portable Executable) Analysis
```bash
# PE analysis with pecheck
pecheck suspicious_sample.exe
```

```python
# PE analysis with pefile (Python)
import pefile

pe = pefile.PE('suspicious_sample.exe')

print('Sections:')
for section in pe.sections:
    # Section names are NUL-padded to 8 bytes; strip the padding, not whitespace
    name = section.Name.decode(errors='replace').rstrip('\x00')
    print(f'  {name:<10} | VA: {section.VirtualAddress:08x} | '
          f'Size: {section.SizeOfRawData:08x} | Entropy: {section.get_entropy():.2f}')

print('Imports:')
# Packed or damaged samples may have no import directory at all
for dll in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    print(f'  {dll.dll.decode(errors="replace")}')
    for imp in dll.imports:
        print(f'    {imp.name.decode() if imp.name else f"Ordinal: {imp.ordinal}"}')
```

Suspicious imports to look for:
| Category | APIs | Indicates |
|---|---|---|
| Process injection | OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, NtUnmapViewOfSection | Shellcode injection, process hollowing |
| Network | socket, connect, send, recv, InternetOpen, HttpSendRequest | C2 communication, data exfiltration |
| Credential access | CreateToolhelp32Snapshot, MiniDumpWriteDump, SamConnect, CryptUnprotectData | Password dumping, LSASS access |
| Persistence | RegCreateKeyEx, RegSetValueEx, CreateService, Task Scheduler COM (ITaskService/IRegisteredTask) or spawning schtasks.exe | Adding Run keys, services, scheduled tasks |
| Anti-analysis | IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess, GetTickCount around long Sleep calls (e.g. Sleep(0xEA60) = 60 s) | Anti-debug, anti-sandbox timing checks |
| File operations | CreateFile, WriteFile, DeleteFile, MoveFile, FindFirstFile | File manipulation, ransomware encryption |
YARA Rules
YARA (Yet Another Recursive Acronym) is a tool for creating and matching malware signatures based on textual or binary patterns. YARA rules are the industry standard for malware classification and detection.
YARA Rule Structure
```yara
rule Suspicious_CreateRemoteThread
{
    meta:
        description = "Detects samples using CreateRemoteThread for process injection"
        author = "Malware Analysis Team"
        date = "2026-01-16"
        reference = "https://attack.mitre.org/techniques/T1055/"
        severity = "high"

    strings:
        $s1 = "OpenProcess" fullword
        $s2 = "VirtualAllocEx" fullword
        $s3 = "WriteProcessMemory" fullword
        $s4 = "CreateRemoteThread" fullword
        $s5 = "NtUnmapViewOfSection" fullword

    condition:
        // Any 3 of the 5 injection APIs together is a strong indicator, but debuggers,
        // AV agents and some installers import the same set: treat hits as triage leads
        3 of ($s*)
}
```

YARA — Real-World Rule: TrickBot
```yara
import "pe"

rule TrickBot_Loader
{
    meta:
        description = "Detects TrickBot loader based on known strings and PE characteristics"
        author = "Malware Analysis Team"
        date = "2026-01-16"
        reference = "https://attack.mitre.org/software/S0266/"

    strings:
        $str1 = "TrickBot" wide ascii
        $str2 = "config.bin" wide
        $str3 = "/gate.php" wide
        $str4 = "group_tag" wide
        $str5 = "windows_update_" wide

    condition:
        // kernel32 exports CreateProcessA/CreateProcessW, so match the real export names;
        // a literal "CreateProcess" would never match an import table
        (2 of ($str*) or $str1) and
        pe.imports(/kernel32\.dll/i, /^CreateProcess[AW]$/) and
        pe.sections[0].name == ".text"
}
```

Running YARA
```bash
# Compile rules
yarac rules.yara rules.yarc

# Scan a single file
yara rules.yara suspicious_sample.exe

# Scan a directory recursively
yara -r rules.yara /evidence/malware/

# Print rule metadata (-m) and the matching strings with their offsets (-s)
yara -m -s rules.yara suspicious_sample.exe
```

Dynamic Analysis (Sandboxing)
Dynamic analysis executes the malware in a controlled, isolated environment to observe its behaviour. It is usually the fastest way to learn what a sample actually does, with one caveat: a sample that detects the sandbox (see the anti-analysis checks above) may simply do nothing, so a quiet run is not proof of a harmless file.
Sandbox Setup Requirements
| Component | Purpose | Tool |
|---|---|---|
| Isolated VM | Safe execution environment | VirtualBox or VMware with host-only networking |
| Network monitoring | Capture C2 traffic | INetSim (fake internet), tcpdump, Wireshark |
| Process monitoring | Observe process creation and injection | Process Monitor (Procmon), Process Explorer |
| Registry monitoring | Track persistence changes | Regshot (before/after comparison) |
| File monitoring | Track file creation, modification, deletion | Procmon, File System Auditor |
| API monitoring | Capture system calls | API Monitor, Frida |
Cuckoo Sandbox / CAPE
Cuckoo Sandbox was the open-source standard for automated malware analysis. The original project is no longer maintained; CAPE (Config And Payload Extraction), a Cuckoo-derived sandbox that adds unpacking and configuration extraction, is its actively maintained successor. The classic Cuckoo CLI:
```bash
# Submit a sample to Cuckoo
cuckoo submit suspicious_sample.exe

# Submit with options
cuckoo submit --timeout 120 --enforce-timeout \
  --machine win10-vm \
  --options "procmem=yes,filewrite=yes" \
  suspicious_sample.exe

# Check analysis status
cuckoo status
```

ANY.RUN (Cloud Sandbox)
ANY.RUN is an interactive cloud-based sandbox that shows real-time analysis:
Key features:
- Live process tree with screen recording
- Network traffic viewer (HTTP, DNS, TCP/UDP)
- Registry and file system changes
- MITRE ATT&CK technique mapping
- YARA and Suricata rule matching
- IoC extraction (IPs, domains, hashes, mutexes)
Dynamic Analysis — What to Look For
| Behaviour | What It Indicates | Detection Opportunity |
|---|---|---|
| DNS query to newly registered domain | C2 lookup, DGA | Domain age check, threat intel lookup |
| HTTP POST to /gate.php | Beaconing, data exfiltration | Network signature, TLS fingerprint |
| Injects code into explorer.exe | Process injection, stealth | Sysmon Event ID 8 (CreateRemoteThread) |
| Creates Run key in registry | Persistence | Sigma rule for registry persistence |
| Localhost TCP connections or named pipes between its own processes | Inter-process communication between injected components | Sysmon Event ID 3 (local connections), 17 and 18 (pipe created/connected) |
| Deletes volume shadow copies | Ransomware (pre-encryption) | vssadmin.exe execution monitoring |
| Turns off Windows Defender | Defense evasion | Service stop event monitoring |
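The detection opportunities in the table map directly onto Sysmon event types. As an added example, not code from the original page, here are the explorer.exe injection, Run-key, shadow-copy, Defender-tampering and outbound-connection checks written as rules over Sysmon-shaped records, each tagged with the ATT&CK technique it evidences. The events are constructed for the example: field names follow Sysmon's schema, but the user, SID, paths and addresses are invented, and the internal address ranges are an assumption about the organisation.

```python
import ipaddress

# Address ranges treated as "inside the organisation" for the outbound-connection rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Sysmon-shaped events. Field names follow the Sysmon schema; the
# values (user, SID, paths, IPs) are invented for this example, not from an incident.
LOADER = r"C:\Users\alice\AppData\Roaming\TrickBot\loader.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"EventID": 1, "Image": LOADER, "CommandLine": "loader.exe", "ParentImage": EXPLORER},
    {"EventID": 13, "Image": LOADER,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\TrickBot",
     "Details": LOADER},
    {"EventID": 8, "SourceImage": LOADER, "TargetImage": EXPLORER},
    {"EventID": 3, "Image": EXPLORER, "Initiated": True,
     "DestinationIp": "203.0.113.50", "DestinationPort": 8443},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": EXPLORER},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop WinDefend", "ParentImage": EXPLORER},
    # Benign noise the rules must leave alone.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": EXPLORER},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastCheck",
     "Details": "0x01D0"},
    {"EventID": 3, "Image": EXPLORER, "Initiated": True,
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_remote_thread(ev):
    # Sysmon EID 8 (CreateRemoteThread): a thread landing in explorer.exe from a
    # user-profile binary is the injection behaviour seen in the sandbox.
    if ev["EventID"] == 8 and _basename(ev["TargetImage"]) == "explorer.exe":
        return "T1055", f"remote thread into explorer.exe from {ev['SourceImage']}"


def rule_run_key(ev):
    # Sysmon EID 13 (RegistryEvent, value set) under a Run key.
    if ev["EventID"] == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower():
        return "T1547.001", f"Run key set: {ev['TargetObject']} -> {ev['Details']}"


def rule_shadow_delete(ev):
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1 and _basename(ev["Image"]) == "vssadmin.exe" \
            and "delete" in cmd and "shadows" in cmd:
        return "T1490", f"shadow copy deletion: {ev['CommandLine']}"


def rule_defender_tamper(ev):
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1 \
            and _basename(ev["Image"]) in {"sc.exe", "net.exe", "net1.exe", "powershell.exe"} \
            and ("windefend" in cmd or "disablerealtimemonitoring" in cmd):
        return "T1562.001", f"Defender tampering: {ev['CommandLine']}"


def rule_host_process_beacon(ev):
    # Sysmon EID 3 (NetworkConnect): explorer.exe talking to an address outside the
    # organisation. Noisy on its own; meaningful once EID 8 has shown injection into it.
    if ev["EventID"] == 3 and ev.get("Initiated") and _basename(ev["Image"]) == "explorer.exe":
        ip = ipaddress.ip_address(ev["DestinationIp"])
        if not any(ip in net for net in INTERNAL_NETS):
            return "T1071.001", f"outbound {ev['DestinationIp']}:{ev['DestinationPort']} from explorer.exe"


RULES = [rule_remote_thread, rule_run_key, rule_shadow_delete,
         rule_defender_tamper, rule_host_process_beacon]


def triage(events):
    """Run every rule over every event; return the findings with their ATT&CK IDs."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": rule.__name__, "technique": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['detail']}")
```

Each rule is a one-event predicate, which is what makes it portable into a Sigma rule later; the explorer.exe outbound rule is the exception and is deliberately kept weak, because explorer.exe does legitimately reach the network and the finding only becomes convincing alongside the EID 8 hit on the same host.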
Reverse Engineering
Reverse engineering disassembles the binary to understand its logic at the code level.
Ghidra (Free, Open-Source)
Ghidra is the NSA’s reverse engineering framework, available for free:
Ghidra Workflow:
1. Create a new project
2. Import the binary
3. Auto-analysis (Ghidra identifies functions, decompiles to C)
4. Navigate the decompiled code
5. Identify key functions (C2, encryption, installation)
6. Rename variables and functions for clarity
7. Extract configuration data (embedded C2 URLs, encryption keys)

Key features:
- Decompiler (produces readable C-like pseudocode)
- Multi-platform (Windows, Linux, macOS binaries)
- Scriptable (Java, and Python via Jython or PyGhidra)
- Collaborative (multi-user project support)
- Extensible (large plugin ecosystem)
IDA Pro (Commercial)
IDA Pro is the industry standard for professional reverse engineering:
- Superior decompiler (Hex-Rays)
- Extensive plugin ecosystem
- Debugger integration
- Library function identification (FLIRT signatures) and type library support
Case Study: Analyzing a TrickBot Sample
TrickBot is a banking trojan that evolved into a modular crimeware platform used for initial access, credential theft, and ransomware delivery.
Static Analysis Findings
| Analysis | Finding |
|---|---|
| File type | PE32 executable for MS Windows (GUI) |
| Hash | SHA-256 of the sample (record it verbatim; it is the pivot for VirusTotal and threat-intel lookups) |
| VT detection | 45/70 engines (high detection) |
| Compiler | Microsoft Visual C++ 14.0 (Visual Studio 2015) |
| Packer | Custom packing — no known packer detected; sections have high entropy |
| Strings | C2 URLs, config.bin, group_tag, mutex names, registry paths |
| Imports | socket, connect, recv, send (network); CreateProcess (execution); RegCreateKeyEx (persistence) |
Dynamic Analysis Findings
| Behaviour | Detail |
|---|---|
| Installation | Creates %APPDATA%\TrickBot\ directory and drops config.bin |
| Persistence | Adds Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrickBot |
| C2 beaconing | HTTPS POST to https://evil-c2.com/gate.php every 60 seconds |
| Process injection | Injects main module into explorer.exe to hide from process lists |
| Data collection | Harvests browser passwords, Outlook credentials, RDP saved credentials |
| Defense evasion | Checks for sandbox artifacts (VMware tools, analysis tools); sleeps 5 minutes before executing |
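A sandbox report shows the 60-second C2 beacon as a list of connections; what turns that into a detection is the regularity of the gaps between them. This added example, not part of the original case study, groups outbound flows by source, destination and port and scores each pair by the coefficient of variation of its inter-arrival times, which stays small for a sleep timer with a few seconds of jitter and large for human-driven traffic. The flow records are constructed, reusing the page's placeholder address 203.0.113.50; the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def interval_stats(timestamps, min_events=5):
    """Mean gap and coefficient of variation (stddev / mean) between connections.
    Returns None when there are too few events to say anything about regularity."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"count": len(ts), "mean_interval_s": round(m, 1), "cv": round(cv, 3)}


def classify(stats, max_cv=0.2, min_interval=5, max_interval=24 * 3600):
    """Low CV means the gaps are nearly equal: a timer, not a person. A few percent of
    sleep jitter stays well under max_cv; interactive traffic does not. Thresholds are
    assumptions for this example."""
    if stats is None:
        return "insufficient data"
    if stats["cv"] <= max_cv and min_interval <= stats["mean_interval_s"] <= max_interval:
        return "periodic (beacon-like)"
    return "irregular"


def find_beacons(flows):
    """flows: iterable of (datetime, src, dst, dport). Scores every (src, dst, dport) pair."""
    by_pair = defaultdict(list)
    for t, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(t)
    report = {}
    for pair, ts in by_pair.items():
        stats = interval_stats(ts)
        report[pair] = {"stats": stats, "verdict": classify(stats)}
    return report


def _flows(start, gaps, src, dst, dport):
    """Build one connection per gap, each `gap` seconds after the previous one."""
    out, t = [], start
    for gap in gaps:
        out.append((t, src, dst, dport))
        t += timedelta(seconds=gap)
    return out


T0 = datetime(2026, 1, 16, 9, 0, 0)
# Constructed records (not from a real capture). The C2 pair sleeps 60 s with a few
# seconds of jitter; the other pair is shaped like a user browsing a web site.
BEACON_FLOWS = _flows(T0, [60 + j for j in (0, 2, -3, 1, -1, 3, -2, 0, 1, -1, 2)],
                      "10.0.0.23", "203.0.113.50", 8443)
BROWSING_FLOWS = _flows(T0, [1, 45, 3, 300, 12, 90, 2, 600, 8, 30],
                        "10.0.0.23", "198.51.100.7", 443)
FLOWS = BEACON_FLOWS + BROWSING_FLOWS

if __name__ == "__main__":
    for (src, dst, dport), result in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}:{dport}  {result['verdict']}  {result['stats']}")
```

Run against the sandbox's own connection log (or Zeek conn.log from the INetSim segment) this separates the beacon from everything else the sample touched during its run; the same pair-and-interval approach works on production flow data once the destination is known.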
MITRE ATT&CK Mapping
| Technique ID | Technique | Observed In Sample |
|---|---|---|
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | Creates Run key for persistence |
| T1055.001 | Process Injection: Dynamic-link Library Injection | Injects into explorer.exe |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS C2 communication |
| T1003.001 | OS Credential Dumping: LSASS Memory | Attempts MiniDumpWriteDump on lsass.exe |
| T1115 | Clipboard Data | Monitors clipboard for credentials |
| T1057 | Process Discovery | Enumerates running processes for AV/analysis tools |
| T1497 | Virtualization/Sandbox Evasion | Sleep, checks for analysis tools |
Key Takeaways
- Static analysis (file type, hashes, strings, PE headers, YARA) provides initial classification without executing the sample — always start here
- YARA rules enable automated malware detection and classification — write rules for samples you analyse so you can detect them across your environment
- Dynamic analysis (Cuckoo, ANY.RUN) reveals what the malware actually does: C2 communication, persistence, injection, data theft — this is the most efficient analysis method for IR
- Reverse engineering (Ghidra, IDA Pro) is required only for unknown, custom, or heavily obfuscated malware — do not spend days reversing a commodity trojan
- The TrickBot case study shows how static, dynamic, and reverse engineering analysis combine to build a complete picture of a malware sample’s capabilities
- Every malware analysis should produce detection artifacts: Sigma rules for SIEM, YARA rules for files, network signatures for NIDS, and MITRE ATT&CK mappings for IR
Tip
Build a malware analysis lab before you need it. A sandbox VM with INetSim, Procmon, Regshot, and Wireshark takes 2 hours to set up. During an active incident, you will not have 2 hours to configure your analysis environment. Have it ready and tested.